mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-03 19:15:39 +00:00
ad9bfe2254
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see anthraxx/linux-hardened@104f44058f. This allows the Nix sandbox to function while reducing the attack surface posed by user namespaces, which allow unprivileged code to exercise lots of root-only code paths and have lead to privilege escalation vulnerabilities in the past. We can safely leave user namespaces on for privileged users, as root already has root privileges, but if you're not running builds on your machine and really want to minimize the kernel attack surface then you can set security.allowUserNamespaces to false. Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or setuid, and Firefox's silently reduces the security level if it isn't allowed (see about:support), so desktop users may want to set: boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
110 lines
3.3 KiB
Nix
110 lines
3.3 KiB
Nix
# A profile with most (vanilla) hardening options enabled by default,
|
|
# potentially at the cost of features and performance.
|
|
|
|
{ lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
{
|
|
meta = {
|
|
maintainers = [ maintainers.joachifm ];
|
|
};
|
|
|
|
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
|
|
|
|
nix.allowedUsers = mkDefault [ "@users" ];
|
|
|
|
environment.memoryAllocator.provider = mkDefault "scudo";
|
|
environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
|
|
|
|
security.hideProcessInformation = mkDefault true;
|
|
|
|
security.lockKernelModules = mkDefault true;
|
|
|
|
security.protectKernelImage = mkDefault true;
|
|
|
|
security.allowSimultaneousMultithreading = mkDefault false;
|
|
|
|
security.forcePageTableIsolation = mkDefault true;
|
|
|
|
security.virtualisation.flushL1DataCache = mkDefault "always";
|
|
|
|
security.apparmor.enable = mkDefault true;
|
|
|
|
boot.kernelParams = [
|
|
# Slab/slub sanity checks, redzoning, and poisoning
|
|
"slub_debug=FZP"
|
|
|
|
# Overwrite free'd memory
|
|
"page_poison=1"
|
|
|
|
# Enable page allocator randomization
|
|
"page_alloc.shuffle=1"
|
|
];
|
|
|
|
boot.blacklistedKernelModules = [
|
|
# Obscure network protocols
|
|
"ax25"
|
|
"netrom"
|
|
"rose"
|
|
|
|
# Old or rare or insufficiently audited filesystems
|
|
"adfs"
|
|
"affs"
|
|
"bfs"
|
|
"befs"
|
|
"cramfs"
|
|
"efs"
|
|
"erofs"
|
|
"exofs"
|
|
"freevxfs"
|
|
"f2fs"
|
|
"hfs"
|
|
"hpfs"
|
|
"jfs"
|
|
"minix"
|
|
"nilfs2"
|
|
"qnx4"
|
|
"qnx6"
|
|
"sysv"
|
|
"ufs"
|
|
];
|
|
|
|
# Restrict ptrace() usage to processes with a pre-defined relationship
|
|
# (e.g., parent/child)
|
|
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
|
|
|
|
# Hide kptrs even for processes with CAP_SYSLOG
|
|
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
|
|
|
|
# Disable bpf() JIT (to eliminate spray attacks)
|
|
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
|
|
|
|
# Disable ftrace debugging
|
|
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
|
|
|
|
# Enable strict reverse path filtering (that is, do not attempt to route
|
|
# packets that "obviously" do not belong to the iface's network; dropped
|
|
# packets are logged as martians).
|
|
boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
|
|
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
|
|
boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
|
|
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
|
|
|
|
# Ignore broadcast ICMP (mitigate SMURF)
|
|
boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
|
|
|
|
# Ignore incoming ICMP redirects (note: default is needed to ensure that the
|
|
# setting is applied to interfaces added after the sysctls are set)
|
|
boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
|
|
boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
|
|
boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
|
|
boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
|
|
boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
|
|
boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
|
|
|
|
# Ignore outgoing ICMP redirects (this is ipv4 only)
|
|
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
|
|
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
|
|
}
|